42-5
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter42 Getting Started with Application Layer Protocol Inspection
Default Settings
The default policy configuration includes the following commands:
IP Options RFC 791, RFC
2113
All IP Options traffic is matched in the
default class map.
MGCP UDP/2427,
2727
No extended PAT. RFC 2705bis-05
MMP TCP 5443 No extended PAT.
NetBIOS Name
Server over IP
UDP/137,
138 (Source
ports)
No extended PAT. NetBIOS is supported by performing
NAT of the packets for NBNS UDP port
137 and NBDS UDP port 138.
PPTP TCP/1723 RFC 2637
RADIUS
Accounting
1646 RFC 2865
RSH TCP/514 No PAT Berkeley UNIX
RTSP TCP/554 No extended PAT.
No outside NAT.
RFC 2326, 2327,
1889
No handling for HTTP cloaking.
SIP TCP/5060
UDP/5060
No outside NAT.
No NAT on same security
interfaces.
No extended PAT.
RFC 2543
SKINNY
(SCCP)
TCP/2000 No outside NAT.
No NAT on same security
interfaces.
No extended PAT.
Does not handle TFTP uploaded Cisco
IP Phone configurations under certain
circumstances.
SMTP and
ESMTP
TCP/25 RFC 821, 1123
SNMP UDP/161,
162
No NAT or PAT. RFC 1155, 1157,
1212, 1213, 1215
v.2 RFC 1902-1908; v.3 RFC
2570-2580.
SQL*Net TCP/1521 No extended PAT. v.1 and v.2.
Sun RPC over
UDP and TCP
UDP/111 No extended PAT. The default rule includes UDP port 111;
if you want to enable Sun RPC
inspection for TCP port 111, you need
to create a new rule that matches TCP
port 111 and performs Sun RPC
inspection.
TFTP UDP/69 RFC 1350 Payload IP addresses are not translated.
WAAS No extended PAT.
XDCMP UDP/177 No extended PAT.
1. Inspection engines that are enabled by default for the default port are in bold.
2. The ASA is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed
to be in a particular order, but the ASA does not enforce the order.
Table42-1 Supported Application Inspection Engines (continued)
Application1Default Port NAT Limitations Standards2Comments